hw/uefi: check auth.hdr_length minimum size
auth.hdr_length maximum is already checked (against buffer size). The
header has some fixed fields which are included in the header length, so
there also is a minimum size which must be verified. Add a check for
that. Fixes possible integer underflow.
While being at it replace the magic number '24' with sizeof calculations
for better code documentation.
Fixes: CVE-2026-8341
Fixes: f1488fac0584 ("hw/uefi: add var-service-auth.c")
Reported-by: Feifan Qian <bea1e@proton.me>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20260512060523.17493-1-kraxel@redhat.com>
diff --git a/hw/uefi/var-service-auth.c b/hw/uefi/var-service-auth.c
index 795f2f5..f3dc9c6 100644
--- a/hw/uefi/var-service-auth.c
+++ b/hw/uefi/var-service-auth.c
@@ -194,7 +194,7 @@
return EFI_SUCCESS;
}
- if (auth.hdr_length == 24) {
+ if (auth.hdr_length == (sizeof(auth) - sizeof(auth.timestamp))) {
/* no signature (auth->cert_data is empty) */
return EFI_SECURITY_VIOLATION;
}
@@ -228,6 +228,9 @@
}
memcpy(&auth, data, sizeof(auth));
+ if (auth.hdr_length < (sizeof(auth) - sizeof(auth.timestamp))) {
+ return EFI_SECURITY_VIOLATION;
+ }
if (uadd64_overflow(sizeof(efi_time), auth.hdr_length, &data_offset)) {
return EFI_SECURITY_VIOLATION;
}
diff --git a/hw/uefi/var-service-pkcs7.c b/hw/uefi/var-service-pkcs7.c
index c859743..8a1f139 100644
--- a/hw/uefi/var-service-pkcs7.c
+++ b/hw/uefi/var-service-pkcs7.c
@@ -113,9 +113,9 @@
memcpy(&auth, data, sizeof(auth));
pkcs7 = g_new(gnutls_datum_t, 1);
- pkcs7->size = auth.hdr_length - 24;
+ pkcs7->size = auth.hdr_length - (sizeof(auth) - sizeof(auth.timestamp));
pkcs7->data = g_malloc(pkcs7->size);
- memcpy(pkcs7->data, data + 16 + 24, pkcs7->size);
+ memcpy(pkcs7->data, data + sizeof(auth), pkcs7->size);
wrap_pkcs7(pkcs7);